Force Torrent Traffic through VPN Split Tunnel on Ubuntu 14.x

In this guide we will show you how to configure your Ubuntu Server 14.04 LTS for Split Tunneling with OpenVPN. You will be able to route your torrent traffic over your VPN connection, while everything else will have direct access, bypassing the VPN. We are essentially separating the network traffic on your server.

You will have full control over which applications you want to route over the VPN. Additionally, an “Automatic Kill Switch” is implemented with firewall rules, meaning that if your VPN connection drops or breaks for any reason, your real IP address will not be revealed. DNS leaks are also prevented, and remote access to your torrent client of choice (Transmission or Deluge) is possible with an nginx reverse proxy. Sounds great? Let's proceed!

We cannot emphasize enough how important it is to protect your online privacy. For this purpose we would certainly recommend using a VPN (Virtual Private Network) with OpenVPN. You can choose from many paid VPN providers. Always read their Privacy Policy, consider the quality of the service for the price, and choose one you trust. In this guide we will use Private Internet Access (PIA) as the VPN provider; in my experience, configuring others will not differ too much.

Important: This guide is written for Ubuntu Server 14.04 LTS and uses an Upstart script. It might work on other Linux distributions, but it is only guaranteed to work on Ubuntu Server 14.04 LTS. Systems that use systemd (like Ubuntu Server 16.04 LTS, Debian 8 (Jessie), Minibian (which is based on Debian 8), etc.) require a systemd unit instead of the Upstart script. On Minibian, installation of additional packages is required! A guide for systemd systems will be published soon; until then you can check the forum for help.

Why Split VPN Tunnel?

If you are running a home server based on Ubuntu Server and you configure an OpenVPN client, all of the server's traffic will be tunneled over the active VPN connection. But what if we would like to tunnel only a few applications’ traffic over the VPN (for example Transmission or Deluge) and give everything else a direct connection? This is called split tunneling the VPN connection. And what if your VPN connection breaks because the VPN server is offline? Without proper firewall rules you will automatically fall back to your direct Internet connection and immediately expose your real IP address. This poses privacy and anonymity risks!

The Benefits of VPN Split Tunneling

Control

You can select which services/applications should be tunneled over the VPN connection by running the selected services/applications as the vpn user, and thereby protect your identity.

Automation

The VPN connection with Split Tunneling is started automatically on each system start, and restarted automatically once the VPN provider is online again.

Increased Safety

If the VPN connection breaks, the vpn user is “disconnected” from the Internet (Automatic Kill Switch); once the VPN connection is established again, the vpn user regains Internet access over the VPN. This ensures that your real IP address is never exposed publicly; only the IP address assigned by the VPN provider is visible.

Increased Convenience

You retain your direct Internet connection for all the other users, bypassing the VPN for services/applications that don’t require you to hide your real IP address.

Keep Remote Access

You will still be able to remotely manage your services by reverse proxy!

This is a detailed guide on how to configure Ubuntu Server 14.04 LTS for Split Tunneling over a VPN. It is an advanced guide, but every effort has been made to make it friendly for new users with basic Linux knowledge. Should anything go wrong, feel free to comment or post on the Forum; we will do our best to help you.

This is Part 1 of the split tunnel guide. In this guide you will create and configure the vpn user.

In Part 2 (upcoming guides) you will configure your torrent client (Transmission or Deluge guide) to run as the vpn user.

Here is an overview of all the steps in Part 1:

Install and configure OpenVPN (including auto connecting to VPN server on system start)

Install OpenVPN

The Ubuntu repository is not always up to date. It is best to use the latest OpenVPN release to make sure you have the latest security fixes. It is quite easy to build OpenVPN from source (stay tuned for a guide on how to build OpenVPN from source), but first let’s check which version of OpenVPN is available from the Ubuntu repository.

sudo apt-get update
sudo apt-cache policy openvpn

This will show you the version of OpenVPN in the Ubuntu repository. At the time of writing this guide, it is version 2.3.2, quite far behind the latest stable release. You can always check the official OpenVPN site for the latest version (and the changelog too).

Note: if you are using an ARM device (like a Raspberry Pi), do not add the OpenVPN repository; just install OpenVPN from the repository of the distribution you are using.

The latest OpenVPN releases are available in the OpenVPN project’s apt repositories.

Create PIA Configuration File for Split Tunneling

We need to modify the configuration file provided by PIA to adjust it for Split Tunneling. We will use the Sweden VPN server, but you can use any of the available servers – more on this later. For the best VPN performance (especially for torrents) I strongly recommend using the UDP protocol, not TCP.

Make OpenVPN Auto Login on Service Start

The username and password for PIA will be stored in a login.txt file; this way OpenVPN can connect automatically on service start. Create the text file:

sudo nano /etc/openvpn/login.txt

Enter your PIA username and password, one per line:

USERNAME
PASSWORD

Hit Ctrl+X, Y to save and exit.

Configure VPN DNS Server

Next we are going to prevent DNS leaks. DNS leaks are the primary reason your real identity gets exposed even when using a VPN. You can read more about DNS leaks at this location. The update-resolv-conf script that comes with OpenVPN will automatically apply the preferred DNS servers when OpenVPN connects.

This script will make sure that when using OpenVPN you are not subject to DNS leaks. We will use PIA’s DNS servers (209.222.18.222 and 209.222.18.218) and Google’s (8.8.8.8) as a third option. Of course, you are free to use the DNS servers you trust and prefer. It is advisable to change the local DNS to a public one even if you are not using a VPN. If you are behind a router (and you probably are), it is also good practice to configure a public DNS address on the router too.
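As an added example (this is neither PIA's configuration file nor the one from the original guide), here is an OpenVPN client configuration that combines the split-tunnel changes from the configuration section above with the DNS settings just described. The server hostname and port, the CA file path and the up-script path are placeholders or assumptions; the DNS addresses and the login.txt path are the ones named above.

```conf
# OpenVPN client configuration for split tunnelling (added example; every
# value is an assumption unless it appears in the guide text)
client
dev tun
proto udp
# Placeholder: replace with the hostname and port of the VPN server you chose
remote VPN_SERVER_HOSTNAME 1198
resolv-retry infinite
nobind
persist-key
persist-tun
# CA certificate from the provider's configuration bundle (path assumed)
ca /etc/openvpn/ca.crt
remote-cert-tls server
# Credentials file created above, so the service connects without prompting
auth-user-pass /etc/openvpn/login.txt
# Low verbosity; raise to 3 while troubleshooting and set it back afterwards
verb 1

# --- Split tunnel specifics ---
# Do not let the server replace the default route (or push DNS servers):
# only marked packets are sent into the tunnel by the firewall and routing
# scripts, everything else keeps the direct connection
route-nopull
# Permit OpenVPN to run external up/down scripts
script-security 2
# Firewall marking, policy routing and DNS are applied only once the tunnel
# is up (assumed wrapper script that ends by calling update-resolv-conf);
# on disconnect update-resolv-conf restores the previous resolvers
up /etc/openvpn/vpn-up.sh
down /etc/openvpn/update-resolv-conf
# DNS servers handed to update-resolv-conf as foreign options (PIA's two
# resolvers and Google's, as listed above)
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8
```

Two points worth knowing when adapting this: route-nopull also discards DNS servers pushed by the provider, which is why the three dhcp-option lines are set locally, and update-resolv-conf changes the resolvers system-wide (it relies on the resolvconf package), so the whole server, not only the vpn user, resolves names through these servers while the tunnel is up.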

Split Tunneling with Iptables and Routing Tables

We will use iptables to mark packets from a user (in our case vpn), and then use routing tables to route these marked packets through the OpenVPN interface, while allowing unmarked packets direct access to the Internet.

Create vpn User

Create the user vpn; all of the applications you want tunneled over the VPN will run as this user. For example, you should run Transmission or Deluge as the vpn user. At the end of this guide you will see the links to our guides on how to configure Transmission and Deluge with Split Tunneling.

Create the vpn user with login disabled:

sudo adduser --disabled-login vpn

I suggest leaving the personal details blank (just press Enter for each prompt), and finally answer Y to create the vpn user. We disabled login for the vpn user for security reasons.

Since we are going to use the vpn user to run services (like the torrent client), it is recommended to add your regular user to the vpn group, and the vpn user to your regular user’s group, to avoid any permission issues.

Replace username with the user you would like to add to the vpn group:

sudo adduser username vpn

Replace group with the group name of your regular user, to which the vpn user will be added:

sudo adduser vpn group

Get Routing Information for the iptables Script

We need the local IP and the name of the network interface. Make sure you are using a static IP on your machine, or a DHCP reservation (also known as static DHCP).

In our example, eth0 is the network interface (NETIF), and 192.168.1.130 is the local IP address (LOCALIP). You will need to enter these two values into the following script, which we are going to create now.

UPDATE (8 November 2016): thanks to feedback from our member Jesus, we are now addressing a vulnerability in the VPN Split Tunnel implementation. If the PIA login credentials are not correct, OpenVPN will not establish the VPN connection and therefore the firewall rules are not applied (since OpenVPN executes up scripts only on a successful connection). The result is that the kill switch is not enabled (no iptables rules loaded) and the vpn user has direct access to the Internet. To prevent this scenario, we will implement a permanent firewall rule that blocks the vpn user’s access to the Internet until the OpenVPN tunnel is up and functional and the required scripts have run. This prevents any IP leaks even if no connection to PIA is possible for any reason.

Flush the current iptables rules:

sudo iptables -F

Add the following rule, which blocks the vpn user’s access to the Internet (except via the loopback device). Note: if you configured the Split Tunnel with a different user than vpn, change vpn in the rule to the user you used.

sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP

Now install iptables-persistent so that this single rule is saved and applied on every system start.

sudo apt-get install iptables-persistent -y

During the install, iptables-persistent will ask you to save the current iptables rules to /etc/iptables/rules.v4 (as seen on the screenshot); accept this with Yes.

Now, when the system starts, the vpn user is not able to access the Internet. If the OpenVPN service starts successfully, this rule is flushed (only until the next system restart) and the Split Tunnel rules are applied.

iptables Script for vpn User

The first script will mark the packets of the vpn user; the second script will route them.

Create the iptables script:

sudo nano /etc/openvpn/iptables.sh

Copy the following into the iptables.sh script, and make sure you enter the network interface (NETIF) and the local IP (LOCALIP) we identified above.

The comments in each section describe the function of that part of the script. If you are interested in more details about iptables, a good starting point is the Official Ubuntu Documentation.

Remember, this script flushes your existing iptables rules (UFW included); therefore, if you need any additional rules, add them to this script.
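As an added example, not the guide's own iptables.sh, here is a script that performs the marking and kill-switch function described above. Assumed names: the tunnel device tun0, the fwmark value 0x1 (which the routing script must look up), and the user name vpn; NETIF and LOCALIP default to the example values from the previous section and can be overridden from the environment. With DRY_RUN=1 it prints the rules instead of applying them, so you can review the rule set before it runs as root.

```shell
#!/bin/sh
# /etc/openvpn/iptables.sh -- mark and fence the vpn user's traffic.
# Added example, not the guide's own script. Assumptions: tunnel device tun0,
# VPN user "vpn", fwmark 0x1 matched by a separate policy-routing script.
# NETIF and LOCALIP are the values found with "ip route list" (eth0 and
# 192.168.1.130 in the guide's example).

NETIF="${NETIF:-eth0}"
LOCALIP="${LOCALIP:-192.168.1.130}"
VPNIF="${VPNIF:-tun0}"
VPNUSER="${VPNUSER:-vpn}"
MARK="0x1"

# Run iptables, or only print the command when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Derive the local /24 from LOCALIP so the vpn user's LAN traffic stays
# unmarked and direct (assumes a /24 home network)
lan_prefix() {
    echo "${1%.*}.0/24"
}

apply_split_tunnel_rules() {
    lan=$(lan_prefix "$LOCALIP")

    # Start from a clean slate: this also removes the boot-time "DROP for vpn
    # user" rule loaded by iptables-persistent (add your own rules below)
    ipt -t nat -F
    ipt -t mangle -F
    ipt -t filter -F
    ipt -X

    # Mark every packet the vpn user generates, except packets for the LAN
    ipt -t mangle -A OUTPUT -m owner --uid-owner "$VPNUSER" -j MARK --set-mark "$MARK"
    ipt -t mangle -A OUTPUT -d "$lan" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x0

    # Replies to connections opened over the tunnel are allowed; anything
    # else arriving on the tunnel (unsolicited connections, scans) is rejected
    ipt -A INPUT -i "$VPNIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$VPNIF" -j REJECT

    # Kill switch: the vpn user may talk to loopback, the LAN and the tunnel,
    # and nothing else. If tun0 disappears, the last rule drops its traffic.
    ipt -A OUTPUT -o lo -m owner --uid-owner "$VPNUSER" -j ACCEPT
    ipt -A OUTPUT -o "$NETIF" -d "$lan" -m owner --uid-owner "$VPNUSER" -j ACCEPT
    ipt -A OUTPUT -o "$VPNIF" -m owner --uid-owner "$VPNUSER" -j ACCEPT
    ipt -A OUTPUT ! -o "$VPNIF" -m owner --uid-owner "$VPNUSER" -j DROP

    # Source NAT for what leaves through the tunnel
    ipt -t nat -A POSTROUTING -o "$VPNIF" -j MASQUERADE
}

# Apply only when invoked with "apply" (the up script does this);
# "DRY_RUN=1 sh iptables.sh apply" previews the rules without root
if [ "${1:-}" = "apply" ]; then
    apply_split_tunnel_rules
fi
```

Preview with DRY_RUN=1 sh /etc/openvpn/iptables.sh apply, then make it executable with chmod +x so OpenVPN's up script can run it. The order of the OUTPUT rules matters: the ACCEPT rules for lo, the LAN and the tunnel come first, and the final DROP catches everything the vpn user would otherwise send out of eth0 when the tunnel is absent.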

Change Reverse Path Filtering

Next we need to change the default level of reverse path filtering to ensure the kernel lets the traffic be routed correctly. By default it is set to 1, “strict mode”. It is not necessary to disable reverse path filtering completely, but we need to set it to level 2, “loose mode”.

Create a reverse path filter file for the vpn user:

sudo nano /etc/sysctl.d/9999-vpn.conf

Copy the following, and make sure you use the correct network interface name in the third line (remember the ip route list command from before and its output; in our case it was eth0).
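The "second script" mentioned in the iptables section (the one that routes the marked packets) and the reverse path filter file just described belong together, so here is one added example covering both. It is not the guide's own script. Assumptions: routing table number 200 and mark 0x1 (these must match whatever the firewall script sets), a firewall script at /etc/openvpn/iptables.sh that accepts the argument "apply", and the dev and script_type environment variables that OpenVPN exports to its up script. The render_rp_filter_conf function prints the sysctl file for a given LAN and tunnel interface; setup_vpn_routes installs the policy route, or only prints the commands when DRY_RUN=1.

```shell
#!/bin/sh
# /etc/openvpn/vpn-up.sh -- OpenVPN "up" script: run the firewall script,
# send packets carrying fwmark 0x1 through a dedicated routing table whose
# default route is the tunnel device, then apply the VPN DNS servers.
# Added example, not the guide's own script. Assumptions: table 200, mark
# 0x1, /etc/openvpn/iptables.sh accepting "apply", OpenVPN's "dev" and
# "script_type" environment variables.

TABLE="${TABLE:-200}"
MARK="0x1"

# Run a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Print the sysctl file that switches reverse path filtering to loose mode
# (2) for every interface involved. In strict mode (1) the kernel discards
# the tunnel's reply packets, because the main routing table would send
# their source address out of the LAN interface instead.
# Arguments: LAN interface, tunnel interface.
render_rp_filter_conf() {
    printf 'net.ipv4.conf.all.rp_filter = 2\n'
    printf 'net.ipv4.conf.default.rp_filter = 2\n'
    printf 'net.ipv4.conf.%s.rp_filter = 2\n' "$1"
    printf 'net.ipv4.conf.%s.rp_filter = 2\n' "$2"
}

# Policy routing for marked packets. Argument: tunnel device (tun0).
# A point-to-point tun device needs no gateway address, so the table's
# default route simply names the device.
setup_vpn_routes() {
    tun_dev="$1"
    if [ -z "$tun_dev" ]; then
        echo "setup_vpn_routes: tunnel device name missing" >&2
        return 1
    fi
    # OpenVPN re-runs the up script on every reconnect: add the rule once
    if [ "${DRY_RUN:-0}" = 1 ] || ! ip rule list | grep -q "fwmark $MARK lookup $TABLE"; then
        run ip rule add from all fwmark "$MARK" lookup "$TABLE"
    fi
    run ip route replace default dev "$tun_dev" table "$TABLE"
    # Second line of defence behind the firewall kill switch: when the tunnel
    # device disappears the kernel removes the route above, and marked packets
    # then hit this unreachable route instead of falling through to the main
    # table (and the direct connection)
    run ip route replace unreachable default metric 1000 table "$TABLE"
    run ip route flush cache
}

# Entry point when OpenVPN invokes this file as its "up" script
if [ "${script_type:-}" = "up" ]; then
    sh /etc/openvpn/iptables.sh apply
    setup_vpn_routes "${dev:-}"
    # Apply the DNS servers from the dhcp-option lines, preventing DNS leaks
    /etc/openvpn/update-resolv-conf
fi
```

To write the sysctl file from the same script, run render_rp_filter_conf eth0 tun0 | sudo tee /etc/sysctl.d/9999-vpn.conf and load it with sudo sysctl -p /etc/sysctl.d/9999-vpn.conf. The policy route can be inspected afterwards with ip rule list and ip route list table 200; the unreachable entry should be visible even while the tunnel is up, sitting behind the tun0 default route with its higher metric.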

Testing the VPN Split Tunnel

I recommend a system restart. If everything was configured properly, you should have a VPN connection enabled for the user vpn, and all the other users on your server should have direct access to the Internet. Now let's check that everything is correct.

Test OpenVPN service

Log in as your regular user over SSH, and check whether OpenVPN has started correctly:

sudo service openvpn status

This should return:

openvpn start/running, process xxxx

If you get this output:

openvpn stop/waiting

Something went wrong. We configured OpenVPN to log to /var/log/syslog; check there for a record of the error. For troubleshooting you can set the output verbosity in the openvpn.conf file to a higher level; I would recommend 3. You can always ask for help in the forum section. Remember to set the verbosity level back to 1 once you no longer need more detailed logs.

Check IP address

Still using the SSH session of the regular user, check the IP address:

curl ipinfo.io

It returns your IP address and, depending on how much information is available, the country as well. Here it should be your ISP's IP address and your own location.

Now check the IP address of the vpn user with:

sudo -u vpn -i -- curl ipinfo.io

If everything went fine, it should return the IP address and the country of the VPN server you selected. If you used the Sweden server, the country should be “SE”. It is very important that the IP address for the user vpn is different from your regular user’s IP.
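As an added example (not from the guide), the following script automates the two checks above and also covers the scenario from the November 2016 update: if the vpn user gets no answer at all, that is only acceptable when the persistent kill-switch rule is actually loaded. It assumes the user name vpn and ipinfo.io as the IP echo service, both as used above; the JSON and iptables output used in the self-test are constructed samples.

```shell
#!/bin/sh
# Verify the split tunnel from the regular user's SSH session: the public IP
# seen by the vpn user must differ from the one seen by the regular user, and
# when the tunnel is down the boot-time kill-switch rule must be present.
# Added example, not from the guide. Assumes user "vpn" and ipinfo.io.

VPNUSER="${VPNUSER:-vpn}"

# Extract a string field from ipinfo.io's JSON on stdin (no jq needed)
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# 0 when both addresses are present and differ, 1 otherwise
ips_differ() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Read "iptables -S OUTPUT" on stdin; succeed if the persistent rule that
# drops everything the given uid sends off-loopback is present.
# iptables prints the numeric uid, not the user name.
has_kill_switch() {
    grep -q -- "^-A OUTPUT ! -o lo -m owner --uid-owner $1 -j DROP$"
}

# Live check (needs network and sudo): exits non-zero on a leak
check_split_tunnel() {
    mine=$(curl -s ipinfo.io)
    theirs=$(sudo -u "$VPNUSER" -i -- curl -s ipinfo.io)
    my_ip=$(echo "$mine" | json_field ip)
    vpn_ip=$(echo "$theirs" | json_field ip)
    echo "regular user: $my_ip ($(echo "$mine" | json_field country))"
    echo "vpn user:     ${vpn_ip:-no connectivity} ($(echo "$theirs" | json_field country))"
    if [ -z "$vpn_ip" ]; then
        # No answer is fine only if the kill switch is doing its job
        if sudo iptables -S OUTPUT | has_kill_switch "$(id -u "$VPNUSER")"; then
            echo "tunnel down, kill switch active: no leak"
            return 0
        fi
        echo "tunnel down and NO kill-switch rule loaded: investigate" >&2
        return 1
    fi
    if ! ips_differ "$my_ip" "$vpn_ip"; then
        echo "LEAK: vpn user exits with your ISP's IP address" >&2
        return 1
    fi
    echo "split tunnel OK"
}
```

Run check_split_tunnel once after the reboot and again after deliberately stopping OpenVPN (sudo service openvpn stop); the second run should report the tunnel as down with the kill switch active, never a leak. Note that the kill-switch check only knows the boot-time rule from the update section; after a clean OpenVPN start that rule has been flushed and replaced by the split-tunnel rule set, which is why the live check looks at the vpn user's IP first and at the rule only when there is no connectivity.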

In my case for user vpn and using Sweden PIA server I have the following output


DISCLAIMER

The information on HTPC Guides is for educational purposes and only condones obtaining public domain content. HTPC Guides is not responsible for content from any other site or provider. By using the links provided on this site you agree that neither this site nor its proprietor is in any way responsible for any damages or liability arising from use of external content.

Copyright

The information on this site is the intellectual property of the owner. Credit to other sources is provided where relevant. If you believe any information has not been sourced, please leave a comment and appropriate action will be taken.